Frank Cox theatre@sasktel.net wrote:
>> I have never understood this. If I have a good, strong password that nobody knows, how is changing it to another one an improvement over what I already have? <<
Correct. Modern thinking is to teach people how to create a good, strong password and then stick with it for a longer period than has traditionally been the case. A rainbow tables attack against a captured hash can be done in just a few seconds, so unless you're prepared to change your password every few seconds, it's a futile gesture.
Because most sets of rainbow tables cover all combinations of upper/lower case alpha, numeric and punctuation symbols, a strong password should contain at least one control character, a composed character (using the Alt+numpad technique) or some other non-printable character outside the rainbow tables set. Or use two-factor authentication (RSA SecurID or similar tokens, certificates, etc.).
Best,
--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
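The coverage argument above, as an added illustration that is not part of the thread: a toy precomputed table over a three-character alphabet (the real tables cover the full printable set, but the logic is identical), an unsalted MD5 hash assumed as the captured value, and a defender's check for characters outside the covered set. All names and the sample passwords are constructed for this example.

```python
import hashlib
import itertools
import string

# Constructed toy parameters: real tables cover upper/lower alpha, digits and
# punctuation, but the covered/not-covered behaviour is the same.
TOY_CHARSET = "ab1"
TOY_MAX_LEN = 3

# The printable set the text says most rainbow tables cover.
PRINTABLE_COVERED = string.ascii_letters + string.digits + string.punctuation


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, standing in for a captured password hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_table(charset: str = TOY_CHARSET, max_len: int = TOY_MAX_LEN) -> dict:
    """Precompute hash -> password for every string over charset up to max_len."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            pw = "".join(combo)
            table[md5_hex(pw)] = pw
    return table


def lookup(table: dict, captured_hash: str):
    """Return the password behind a captured hash, or None if the table lacks it."""
    return table.get(captured_hash)


def outside_covered_set(password: str, covered: str = PRINTABLE_COVERED) -> list:
    """Defender's check: characters that fall outside the set the tables cover.
    A non-empty result means the password cannot be in such a table."""
    return [c for c in password if c not in covered]


def demo() -> dict:
    """Run the toy comparison and return the results for inspection."""
    table = build_table()
    return {
        "entries": len(table),                                   # 3 + 9 + 27
        "in_charset": lookup(table, md5_hex("ab1")),             # recovered
        "with_control_char": lookup(table, md5_hex("a\x01b")),   # None
    }
```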
On Tue, Jan 29, 2008 at 04:43:16PM +1100, Les Bell wrote:
> Frank Cox theatre@sasktel.net wrote:
> >> I have never understood this. If I have a good, strong password that nobody knows, how is changing it to another one an improvement over what I already have? <<
> Correct. Modern thinking is to teach people how to create a good, strong password and then stick with it for a longer period than has traditionally been the case. A rainbow tables attack against a captured hash can be done in just a few seconds, so unless you're prepared to change your password every few seconds, it's a futile gesture.
> Because most sets of rainbow tables cover all combinations of upper/lower case alpha, numeric and punctuation symbols, a strong password should contain at least one control character, a composed character (using the Alt+numpad technique) or some other non-printable character outside the rainbow tables set. Or use two-factor authentication (RSA SecurID or similar tokens, certificates, etc.).
Thinking about the above made me ask the following question:
Is it possible to set up CentOS to ask for a change of password every month?
Thanks
Alfredo The Sauce